The Rootkit Primer - Below Gotham Labs

Recommendations

Info

Call Tables User-Mode Call Table Shorthand Description Import Address Table IAT Specifies DLL imports Kernel-Mode Call Tables (MSFT) Shorthand Description System Service Descriptor Table SSDT Stores system call addresses IRP Dispatch Table Driver-specific, routes IRPs Kernel-Mode Call Tables (Intel) Shorthand Description Global Descriptor Table GDT System-wide, install call gates Local Descriptor Table LDT Task-Specific, install call gates Interrupt Descriptor Table IDT Stores interrupt handlers Machine Specific Registers MSRs Used by SYSENTER © Below Gotham Labs, 2009 14
Kernel Objects The Windows OS is “Object Based” NOT talking about C++ Objects (as in Object-Oriented Program) Windows kernel objects don’t possess member routines template class ArrayStack: public Stack { public: ArrayStack(int); ~ArrayStack( ); virtual bool DumpOn(ostream &); virtual bool Pop(T &); virtual bool Push(T &); private: unsigned Capacity; unsigned Contents; T * Data; }; © Below Gotham Labs, 2009 15
Page 1 and 2: The Rootkit Primer Fear and Loathin
Page 3 and 4: What is a Rootkit? Here’s how the
Page 5 and 6: Design Goal != Implementation Don
Page 7 and 8: Exploit-Based Deployment Method #1
Page 9 and 10: How Do Rootkits Execute? The IA-32
Page 11 and 12: Kernel-Mode Modification User-Mode
Page 13: Call Tables Call Table ~ array of f
Page 17 and 18: BOOL flag; if(flag) { //do somethin
Page 19 and 20: Filter Drivers Filter drivers are i
Page 21 and 22: Hypervisors Rootkit (i.e. hyperviso
Page 23 and 24: COM Objects Component Object Model
Page 25 and 26: Technique Countermeasures As in Gon
Page 27 and 28: Do We Need to Hide? Traditional roo
Page 29 and 30: Forensic Analysis © Below Gotham L
Page 31 and 32: Storage Media Analysis Forensic Dup
Page 33 and 34: Anti-Forensics Traditional rootkits
Page 35 and 36: Surviving Reboot To persist or not
Page 37 and 38: The Four Evil Masters Media Analysi
Page 39 and 40: Persist by Infection 0-Day Exploit
Page 41 and 42: Who’s Building & Using Rootkits?
Page 43 and 44: Crooks The Crooks Notable Features
Page 45 and 46: Suits The Suits Notable Features Ha
Page 47 and 48: Case Study : Vodafone Greece* Where
Page 49 and 50: See How Bad It Is? Moral of the Sto
Page 51 and 52: Remember This? © Below Gotham Labs
Page 53 and 54: For More Information 850 pages, Wor

The Rootkit Primer - Below Gotham Labs

Create successful ePaper yourself

Delete template?

Save as template?